
MQ Auto Minor Version Upgrade

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: MQ-001

Ensure that your Amazon MQ brokers have the Auto Minor Version Upgrade feature enabled so that new minor engine versions are applied automatically as they are released. Automatic upgrades occur during the broker maintenance window, which is defined by a day of the week, a time of day, and a time zone (UTC by default). Each version upgrade becomes available only after it has been tested and approved by Amazon Web Services (AWS).

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Amazon MQ is a managed message broker service for Apache ActiveMQ, a popular open-source message broker. As Amazon MQ deprecates older minor engine versions and offers new ones for upgrade, it is highly recommended that new engine versions be applied automatically. A version change that replaces only the last number of the release (e.g. 5.15.0 to 5.15.x) is considered minor. With the Auto Minor Version Upgrade feature enabled, these upgrades are applied automatically during the specified maintenance window, so your Amazon MQ brokers receive new software features, bug fixes and security patches without manual intervention.


Audit

To determine if the Auto Minor Version Upgrade feature is enabled for your Amazon MQ brokers, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon MQ console at https://console.aws.amazon.com/amazon-mq/.

03 In the main navigation panel, under Amazon MQ, click Brokers.

04 Click on the name (link) of the MQ broker that you want to examine.

05 In the Details section, check the Automatic minor version upgrade attribute value listed under Maintenance. If the attribute value is No, the Auto Minor Version Upgrade feature is not enabled for the selected broker and new minor engine versions are not applied automatically to the Amazon MQ broker as they are released.

06 Repeat steps no. 4 and 5 for each Amazon MQ broker available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-brokers command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon MQ broker available in the selected AWS region:

aws mq list-brokers \
  --region us-east-1 \
  --query 'BrokerSummaries[*].BrokerId'

02 The command output should return the requested MQ broker IDs:

[
	"b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
	"b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
]

03 Run describe-broker command (OSX/Linux/UNIX) using the ID of the Amazon MQ broker that you want to examine as the identifier parameter, to determine the Auto Minor Version Upgrade feature status for the selected MQ broker:

aws mq describe-broker \
  --region us-east-1 \
  --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc \
  --query 'AutoMinorVersionUpgrade'

04 The command output should return the requested feature status (true for enabled, false for disabled):

false

If the describe-broker command output returns false, as shown in the example above, the Auto Minor Version Upgrade feature is not enabled for the selected AWS MQ broker.

05 Repeat steps no. 3 and 4 for each Amazon MQ broker available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.

Remediation / Resolution

To enable the Auto Minor Version Upgrade feature for your Amazon MQ brokers, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Auto Minor Version Upgrade for MQ Brokers",
	"Resources": {
		"MQBroker": {
			"Type": "AWS::AmazonMQ::Broker",
			"Properties": {
				"BrokerName": "cc-internal-broker",
				"DeploymentMode": "SINGLE_INSTANCE",
				"EngineType": "ActiveMQ",
				"EngineVersion": "5.15.0",
				"HostInstanceType": "mq.m5.large",
				"PubliclyAccessible": "false",
				"Users": [
					{
						"Username": "brokeruser",
						"Password": "brokerpassword"
					}
				],
				"AutoMinorVersionUpgrade": "true"
			}
		}
	}
}

The Users entry above uses placeholder credentials for illustration; in a real template, pass the password in as a NoEcho parameter or a Secrets Manager dynamic reference rather than storing it in the template.

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Auto Minor Version Upgrade for MQ Brokers
Resources:
  MQBroker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      BrokerName: cc-internal-broker
      DeploymentMode: SINGLE_INSTANCE
      EngineType: ActiveMQ
      EngineVersion: 5.15.0
      HostInstanceType: mq.m5.large
      PubliclyAccessible: 'false'
      Users:
        - Username: brokeruser
          Password: brokerpassword
      AutoMinorVersionUpgrade: 'true'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_mq_broker" "mq-broker" {
	broker_name         = "cc-internal-broker"
	deployment_mode     = "SINGLE_INSTANCE"
	engine_type         = "ActiveMQ"
	engine_version      = "5.15.0"
	host_instance_type  = "mq.m5.large"
	publicly_accessible = false

	# Placeholder credentials for illustration only; in practice supply the
	# password from a sensitive variable or a secret store rather than
	# committing it with the configuration.
	user {
		username = "brokeruser"
		password = "brokerpassword"
	}

	# Minor engine upgrades are applied automatically during the broker's
	# maintenance window.
	auto_minor_version_upgrade = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon MQ console at https://console.aws.amazon.com/amazon-mq/.

03 In the main navigation panel, under Amazon MQ, click Brokers.

04 Select the Amazon MQ broker that you want to reconfigure and choose Edit from the top-right menu.

05 In the Maintenance section, select the Enable automatic minor version upgrades checkbox to enable the Auto Minor Version Upgrade feature for the selected Amazon MQ broker.

06 Choose Save to apply the configuration changes. The automatic upgrades are applied during the maintenance window specified in the Maintenance section.

07 Repeat steps no. 4 – 6 to enable automatic minor version upgrades for each Amazon MQ broker available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run update-broker command (OSX/Linux/UNIX) to enable the Auto Minor Version Upgrade feature for the selected Amazon MQ broker:

aws mq update-broker \
  --region us-east-1 \
  --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc \
  --auto-minor-version-upgrade

02 The command output should return the new status of the Auto Minor Version Upgrade feature:

{
	"AutoMinorVersionUpgrade": true,
	"BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc"
}

03 (Optional) Run reboot-broker command (OSX/Linux/UNIX) to reboot the selected Amazon MQ broker if you want pending upgrades applied immediately instead of at the next scheduled maintenance window. Rebooting interrupts the broker (a SINGLE_INSTANCE broker is unavailable until it comes back up), so schedule it accordingly. The command does not produce an output:

aws mq reboot-broker \
  --region us-east-1 \
  --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

04 Repeat steps no. 1 – 3 to enable automatic minor version upgrades for each Amazon MQ broker available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
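As an added example (not Conformity's own tooling and not code from the original page), the following Python script ties the CLI steps of the Audit and Remediation sections together across several regions: it shells out to the same aws mq list-brokers, describe-broker and update-broker commands, flags every broker whose AutoMinorVersionUpgrade value is not true, and, when run with --apply, enables the feature on each one. It also shows the page's definition of a minor upgrade in code by finding the newest release that differs from a broker's current version only in the last number. The CLI commands and response field names are the real ones; the region list, the SAMPLE_BROKER dictionary and the version lists used for illustration are constructed assumptions.

```python
#!/usr/bin/env python3
"""Audit, and optionally remediate, Auto Minor Version Upgrade (MQ-001) on
Amazon MQ brokers. Added example: shells out to the AWS CLI commands used on
this page, so it runs with whatever credentials the CLI is configured with.
Usage:  python mq001_audit.py us-east-1 eu-west-1 [--apply]
"""
import json
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a describe-broker response (assumed values, not a
# real broker); the real response carries many more fields.
SAMPLE_BROKER = {
    "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "BrokerName": "cc-internal-broker",
    "EngineType": "ACTIVEMQ",
    "EngineVersion": "5.15.0",
    "AutoMinorVersionUpgrade": False,
}


def run_aws(args: List[str]) -> dict:
    """Run one AWS CLI command and parse its JSON output (raises on failure)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def list_broker_ids(region: str) -> List[str]:
    """Audit step 1: every broker ID in the region."""
    data = run_aws(["mq", "list-brokers", "--region", region])
    return [b["BrokerId"] for b in data.get("BrokerSummaries", [])]


def describe_broker(region: str, broker_id: str) -> dict:
    """Audit step 3: the full broker description, including the flag."""
    return run_aws(["mq", "describe-broker", "--region", region,
                    "--broker-id", broker_id])


def is_compliant(broker: dict) -> bool:
    """MQ-001 passes only when AutoMinorVersionUpgrade is literally true.
    A missing or malformed value counts as a failure, so an unexpected
    response can never read as compliant."""
    return broker.get("AutoMinorVersionUpgrade") is True


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.15.6' -> (5, 15, 6); non-numeric parts are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def newest_in_minor_line(current: str, available: List[str]) -> Optional[str]:
    """Newest version that differs from `current` only in the last number
    (5.15.0 -> 5.15.x), the page's definition of a minor upgrade.
    Returns None when no newer release exists in that line."""
    cur = parse_version(current)
    newer = [v for v in available
             if parse_version(v)[:2] == cur[:2] and parse_version(v) > cur]
    return max(newer, key=parse_version) if newer else None


def remediation_command(region: str, broker_id: str) -> List[str]:
    """argv for the update-broker call that enables the feature."""
    return ["aws", "mq", "update-broker", "--region", region,
            "--broker-id", broker_id, "--auto-minor-version-upgrade"]


def audit(regions: List[str], apply: bool = False) -> List[Dict[str, str]]:
    """One finding per non-compliant broker; remediates when apply=True."""
    findings: List[Dict[str, str]] = []
    for region in regions:
        for broker_id in list_broker_ids(region):
            broker = describe_broker(region, broker_id)
            if is_compliant(broker):
                continue
            findings.append({"region": region, "broker_id": broker_id,
                             "engine_version": broker.get("EngineVersion", "?")})
            if apply:
                # Takes effect at the next maintenance window or reboot.
                subprocess.run(remediation_command(region, broker_id), check=True)
    return findings


if __name__ == "__main__":
    regions = [a for a in sys.argv[1:] if a != "--apply"] or ["us-east-1"]
    for f in audit(regions, apply="--apply" in sys.argv):
        print(f"FAIL {f['region']} {f['broker_id']} engine {f['engine_version']}")
```

Run it without --apply first to get the list of failing brokers, then with --apply once you are satisfied with the scope; the flag change itself is non-disruptive, and the upgrade it enables still waits for the maintenance window or a manual reboot.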

Publication date Dec 22, 2017